SpartanTec, Inc. Wilmington: The Hidden Costs Of Cyberattacks

Cyberattacks can have many effects on an organization. The impact will vary depending upon the severity and nature of the incident.

However, common perceptions are shaped largely by what companies must report publicly, namely theft of personally identifiable information (PII), personal payment data and personal health information. The cost of customer notification, credit monitoring and legal penalties are the most common topics. The industry has made significant progress in this area and is now able to agree on the “cost per record” calculation for data breaches by consumers.

However, cases of intellectual property theft, espionage and data destruction, attacks upon core operations, and attempts to disable critical infrastructure are rarely brought to the public’s attention. These attacks can have a far greater impact on organizations than what is visible. They also result in additional costs that are often harder to quantify and hidden from the public. Deloitte Advisory’s new study “Beyond the surface of a Cyberattack: A deeper Look at Business Impacts” recently highlighted the extent and duration of cyberattacks in financial terms. CFO Insights will concentrate on the seven costs that may not be obvious and why they are important to consider when trying to determine the total cost.

Below the surface costs

The cyber report revealed 14 business effects of cyber incidents as they unfold over a five year incident response process. There were seven direct and seven hidden costs. Different financial modeling techniques were used for the intangible cost estimates (see “Assigning value and intangible losses”) Research showed that data breaches are more costly than their “hidden” counterparts. They accounted for less that 5 percent of the total business effect in Deloitte scenarios.

Cyberattacks hidden costs are important to CFOs because of their impact.

Increases in insurance premiums Cyber incident-related premium increases can lead to an increase in insurance premiums. Unfortunately, there is not much information available about actual premium increases after cybersecurity attacks. Deloitte did informal research among cyber insurance providers and found that policyholders can face a 200% increase in premiums or even be denied coverage until strict conditions are met. * Our sources say that future costs can be affected by factors such as the willingness and depth of information given by policyholders upon reviewing the incident, the plan of the policyholder to improve incident handling and other aspects of its security program, anticipated litigation, and assumptions about the company’s cybersecurity maturity.

Costs to raise debt are rising. An increase in the cost of raising debt is caused by a decrease in credit ratings. The victim organization will be charged higher interest rates when borrowing capital. This could happen when they are trying to raise new debt or restructure existing debt. In the months after a cyber attack, organizations are perceived as more risky borrowers. Deloitte compared the credit ratings of nine companies from the same industry, which were all comparable in size, and found that the average Standard & Poor’s credit rating was A. These companies were also compared to companies that had suffered a cyber attack. In the short-term, credit-rating agencies tend to downgrade one-level companies who have suffered a cyber attack.

Operational disruption and destruction. Operational disruption or destruction is a variable cost category. It includes costs related to the alteration or manipulation of usual business operations as well as costs linked to rebuilding operational capacities. This could be the need to fix equipment or facilities, create temporary infrastructure, divert resources, or increase existing resources to support other business operations that replace those temporarily disabled. This could include the loss of goods and services. Each situation is unique and therefore requires a detailed understanding of many information components.

Customer relationships are lost value. It can be difficult to quantify the number of customers lost during the initial period following a breach. Marketing teams and economists approach this problem by assigning a value to each customer or member in order to determine how much investment the business needs to acquire them. Then they look at the revenue this customer or member is likely to generate over time for the business. These numbers can be compared by industry to determine how much investment is required to acquire and attract new customers.

The value of the lost revenue from contracts. The value of the lost contract revenue will include the revenue, lost chances, and ultimate income loss, linked with contracts ended due to a cyber attack. Deloitte calculated the value of test cases to determine the financial impact of lost premiums or contracts before and after the cyberattack. It was assumed that the company would lose revenues if it suffered a cyberattack. The present value, which is an estimate of future income streams in dollar terms. Since one could earn interest on the dollar received today, a dollar today would be worth more than a dollar in future dollars), of cash flows that the company would generate over the term of these contracts was then determined.

Trade name devaluation. The devaluation of trade names is an intangible category that refers to the decrease in value of symbols, names, and marks used by organizations to differentiate their products and services. A brand name refers to a company or product name, while a trade name refers to the entire organization. The likely value of a trade name before and after a cyber attack must be evaluated to determine its financial impact on a company’s business name. Deloitte used the relief-from–royalty method to value the trade name. Commonly used to value IP assets like trade names, the relief-from-royalty approach estimates the value by analyzing the price another entity would pay to license the company’s trade name. Deloitte used the actual royalties or rates that were paid in royalty transactions for similar IP types to establish a reasonable royalty fee. Profit margins across industries were also examined to determine how much a typical company would be able to pay.

Intellectual property loss. The loss of intellectual property (IP) is an intangible expense that results from losing exclusive control over trade secrets and copyrights, investment strategies, and other proprietary or confidential information. This can cause a loss of competitive advantage and revenue loss, as well as lasting and possibly irreparable economic damages to the company. IP includes, but is not limited to, patents and designs, copyrights trademarks and trade secrets. Trade secrets, unlike other IP types, are indefinitely protected until they are publicly disclosed. The value of IP can be approximated by estimating how much another party would pay for it to be licensed.

A fuller cost picture

Despite all the media attention given to major data breaches, business leaders, including CFOs rarely see the reality behind an organization’s efforts to recover from it. Cyber incidents are not just a technical issue. They often impact business value and performance, and go beyond technology. You can also see the subtler effects of cyber incidents.

Multidisciplinary approaches are required to understand the more subtle effects of cyberattacks on computer security. This requires deep understanding of cyber incidents, as well as financial quantification, valuation techniques, business context, and financial quantification. Leaders can improve their ability to recover from cyberattacks and manage cyber risk by having a better understanding of all the possible business effects, including the seven described here.